August 12th, 2012, 03:46 AM
-
Fail-Stop Signature Scheme
Hi everyone,
Regarding Fail-stop signature scheme, im not too sure how do you prove a forgery.
For example:
public key: y1 , y2
private key: a , b, c, d
generator: g
random number: r
modulo : p
y1 = g^a * r^b % p
y2 = g^c * r^d % p
With the above example, an unbounded adversary will be able to find a few sets of private keys that can get y1 & y2. However how do you prove a forgery this way?
So far my guess is to ask the signer to provide the correct private keys?
thanks in advance!